topic Re: How to get a field from a unique transaction and group another transaction by the unique field? in Splunk Search

How to get a field from a unique transaction and group another transaction by the unique field?

jegreene — Tue, 11 Oct 2016 13:48:21 GMT

I have an event that will generate a login string for a user. Once that login string is generated, the connection string should be tied to that very same login string and be able to be grouped by. However, that login string only exists in the initial connection.

When the connection string is generated, a unique token is tied to it, lets say it's 10. I want to count the number of times the unique token happens (lets say it's 45) and group by the login string.

Variable:
LoginString
Connections
UT=10
UT=45

So essentially I want to grab the login string where UT=10 and then tie that LoginString to the Connections. I want to then count the number of times UT=45 happens on that same connection, and group that count by LoginString in a timechart

Re: How to get a field from a unique transaction and group another transaction by the unique field?

somesoni2 — Tue, 11 Oct 2016 16:03:32 GMT

Can we have some sample events.

Re: How to get a field from a unique transaction and group another transaction by the unique field?

sundareshr — Tue, 11 Oct 2016 16:03:47 GMT

Not sure I understand your question. Sharing some samples might help. In the meantime, try something like this

base search | eventstats values(login_string) as LS by unique_token | stats count(eval(UT=45)) by Connection_String

Re: How to get a field from a unique transaction and group another transaction by the unique field?

jegreene — Tue, 11 Oct 2016 16:34:33 GMT

[01/May/2015:20:39:47 -0400] Connections=12345  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=12345  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
[01/May/2015:20:39:47 -0400] Connections=12345  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:39:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=55555  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:39:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=55555  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"

In this instance I would want my timechart to have 2 for randomString and 1 for notSoRandom and 3 for VeryUnRandom

The issue I am having is how do I group by the LoginString. Right now if I transaction by Connections I have a giant string of the UT=45 and UT=10 but all I want is the count for the number of UT=10 appears in the event

Re: How to get a field from a unique transaction and group another transaction by the unique field?

sundareshr — Tue, 11 Oct 2016 16:46:14 GMT

Try this

base search | eventstats values(loginString) as LS by Connections | where UT=45 | stats count by LS